Service Abuse: DocuSign Share From an Unsolicited Reply-To Address

 1name: "Service Abuse: DocuSign Share From an Unsolicited Reply-To Address"
 2description: "DocuSign shares which contain a reply-to address or domain that has not been previously observed by the recipient organization."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // message is from docusign actual
 9  and sender.email.domain.root_domain == 'docusign.net'
10  and not any(headers.reply_to, .email.domain.domain == 'docusign.com')
11  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
12  
13  
14  // not a completed DocuSign
15  // reminders are sent automatically and can be just as malicious as the initial
16  // users often decline malicious ones
17  and not strings.istarts_with(subject.subject, "Completed: ")
18  and not strings.istarts_with(subject.subject, "Here is your signed document: ")
19  and not strings.istarts_with(subject.subject, "Voided: ")
20
21  // 
22  // This rule makes use of a beta feature and is subject to change without notice
23  // using the beta feature in custom rules is not suggested until it has been formally released
24  // 
25  
26  // reply-to address has never sent an email to the org
27  and beta.profile.by_reply_to().prevalence == "new"
28  
29  // reply-to email address has never been sent an email by the org
30  and not beta.profile.by_reply_to().solicited
31
32  // do not match if the reply_to address has been observed as a reply_to address
33  // of a message that has been classified as benign
34  and not beta.profile.by_reply_to().any_messages_benign  
35
36tags:
37 - "Attack surface reduction"
38attack_types:
39  - "Credential Phishing"
40tactics_and_techniques:
41  - "Evasion"
42  - "Free file host"
43  - "Social engineering"
44detection_methods:
45  - "Content analysis"
46  - "Header analysis"
47  - "Sender analysis"
48id: "2f12d616-f47a-5259-8946-ac2e01940f6f"